On July 11, 2023, the European Commission confirmed the adequacy of the EU‑U.S. Data Privacy Framework (adequacy decision). It concluded that the US provides an adequate level of protection for personal data transferred from the EU to US companies participating in the Framework:
For the purpose of Article 45 of Regulation (EU) 2016/679, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States that are included in the ‘Data Privacy Framework List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Section I.3 of Annex I.
More information can be found on the Commission and Department of Commerce websites:
The Department of Commerce maintains a list of certified companies. The recognition of adequacy is effective immediately for certified companies.
U.S.-based companies can be certified (and annually recertified) under the Framework by agreeing to comply with certain privacy obligations, such as purpose limitation, data minimization, storage limitation, and data security principles, and third-party data sharing requirements. Compliance with these obligations is to be audited and enforced by the U.S. Department of Commerce and the Federal Trade Commission.
In Switzerland, SECO is in contact with the U.S. in order to agree on a Swiss variant of the framework as quickly as possible and to recognize it accordingly. Recognition will hopefully take place before the nDSG comes into force. Until then, companies must continue to rely on the SCC.
However, in our opinion they do not need to carry out a Transfer Impact Assessment (TIA), provided that the recipient is certified under the EU-US Framework, because the transfer to a recipient in the EU and from there as an onward transfer to the USA would also be permissible without a TIA, and there is no apparent reason why a direct transfer to the USA – with the same result, albeit on the basis of the SCC – should not be treated in the same way. However, this presupposes that the recipient contractually undertakes to comply with the Framework vis-à-vis the Swiss exporter.
Once the CH-US framework is in place, personal data can be transferred to certified US recipients without the SCC. However, a contractual obligation to maintain the certification is then also recommended.